New zero-day affects all versions of phpMyAdmin found
- A cross-site request forgery (CSRF) flaw, or XSRF, was identified in phpMyAdmin
- The vulnerability doesn’t give much access to an attacker other than the URL of a targeted server
Overview: phpMyAdmin is one of the most popular, and free, tools for managing the MySQL and MariaDB databases over the web.
An unpatched zero-day vulnerability has been discovered in phpMyAdmin by a cybersecurity researcher that can allow attackers to trick authenticated users into executing an unwanted action. However, on the safer side, the flaw doesn't allow attackers to delete any database or table stored on the server.
What do we know so far: The security researcher and pentester Manuel Garcia Cardenas recently published details and proof-of-concept on the zero vulnerability in phpMyAdmin, the widely used tool to manage the database for websites created with Joomla, WordPress, and many other content management platforms.
- The vulnerability identified as CVE-2019-12922 is a cross-site request forgery (CSRF) flaw, also known as XSRF--a well-known flaw.
- Given a medium rating, the vulnerability only allows an attacker to delete any server configured in the setup page of a phpMyAdmin panel on a victim's server.
Steps for intrusion: An attacker only has to send a crafted URL to a logged-in targeted web administrators on the same browser. As soon as they click on it, it will have them tricked for unknowingly deleting the configured server.
- First, the intruder has to be authenticated; after this procedure, the SQL query will create a session.
- Invoking the ../../../../../..../var/lib/sessionId, the attack can be performed.
Business Impact: According to the researcher’s post to the Full Disclosure mailing list “The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user, in this way making possible a CSRF attack due to the wrong use of HTTP method.”
Solution Suggested: “Implement in each call the validation of the token variable, as already done in other phpMyAdmin requests,” the researcher suggests.
However, the vulnerability is non-serious because an attacker has to know nothing beyond the URL of a targeted server to manipulate the users.